A health trust that exposed the private details of 6,574 members of staff on its website has been fined £185,000 by UK data privacy watchdogs.
Blackpool Teaching Hospitals NHS Foundation Trust inadvertently published workers’ confidential data, including their National Insurance number, date of birth, religious beliefs and sexual orientation, in March 2014. The Trust failed to notice its mistake for 10 months. Even after the penny dropped it took a further five months to alert affected staff, who had been left at heightened risk of identity theft and other scams as a result of their employer’s data-handling incompetence.
Stephen Eckersley, head of enforcement at the Information Commissioner’s Office (ICO), commented: “This trust played fast and loose with the highly sensitive and private information that was entrusted to them. It seems they ignored their duty to put rules in place to protect staff who deliver hospital services to others.
“Any measures taken to protect this information from reaching the public domain were woefully inadequate or non-existent. The fact that the error went unnoticed for so long beggars belief,” he added.
The exposed information was volunteered by staff as part of the Trust’s commitment to publish annual equality and diversity metrics on its website. The Trust failed to notice that the published spreadsheets contained not just aggregated stats but also hidden data that became visible simply by double-clicking the table. The oversight meant personal details of individual members of staff were inadvertently revealed.
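The failure mode here is that a spreadsheet can carry far more data than the table shown on screen. As an added example (not code from the article, the ICO or the Trust), the Python script below performs the kind of pre-publication check an organisation could run before putting a workbook on a public website: it opens the .xlsx as the zip of XML parts it really is and reports hidden sheets, hidden rows and columns, and pivot-table cache records, which hold the row-level source data that a drill-down on a pivot table reveals. Which of these carriers was involved in the Blackpool case is not stated on the page, so that is an assumption; the sample workbook is constructed in memory for the example and is stripped down to the parts the scanner reads.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace shared by workbook, worksheet and pivot cache parts.
NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
HIDDEN_STATES = ("hidden", "veryHidden")


def build_sample_workbook() -> bytes:
    """Construct a minimal, deliberately 'leaky' .xlsx in memory.

    Constructed sample, not a real file: a visible Summary sheet with one
    hidden column, a hidden sheet of raw responses, and a pivot cache records
    part holding the rows behind a pivot table. Content types and rels parts
    are omitted because the scanner does not need them.
    """
    workbook = f"""<workbook xmlns="{NS}"><sheets>
<sheet name="Summary" sheetId="1"/>
<sheet name="Raw responses" sheetId="2" state="hidden"/>
</sheets></workbook>"""
    summary = f"""<worksheet xmlns="{NS}"><cols><col min="3" max="3" hidden="1"/></cols>
<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Headcount</t></is></c></row></sheetData>
</worksheet>"""
    raw = f"""<worksheet xmlns="{NS}"><sheetData><row r="1">
<c r="A1" t="inlineStr"><is><t>staff-0001</t></is></c></row></sheetData></worksheet>"""
    # Each <r> is one cached source row; double-clicking a pivot total exposes these.
    cache = f"""<pivotCacheRecords xmlns="{NS}" count="3">
<r><s v="staff-0001"/><s v="1970-01-01"/></r>
<r><s v="staff-0002"/><s v="1980-02-02"/></r>
<r><s v="staff-0003"/><s v="1990-03-03"/></r>
</pivotCacheRecords>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", summary)
        zf.writestr("xl/worksheets/sheet2.xml", raw)
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", cache)
    return buf.getvalue()


def audit_xlsx(data: bytes) -> dict:
    """Report data carriers in an .xlsx that are not obvious on screen."""
    findings = {"hidden_sheets": [], "pivot_cache_records": {},
                "hidden_rows": 0, "hidden_cols": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Sheet visibility lives in the workbook part, not in the sheet itself.
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.iter(f"{{{NS}}}sheet"):
                state = sheet.get("state", "visible")
                if state in HIDDEN_STATES:
                    findings["hidden_sheets"].append((sheet.get("name"), state))
        for name in names:
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                # Count cached source rows: each one is a record a viewer can recover.
                root = ET.fromstring(zf.read(name))
                findings["pivot_cache_records"][name] = len(root.findall(f"{{{NS}}}r"))
            elif name.startswith("xl/worksheets/"):
                root = ET.fromstring(zf.read(name))
                for tag, key in (("row", "hidden_rows"), ("col", "hidden_cols")):
                    for el in root.iter(f"{{{NS}}}{tag}"):
                        if el.get("hidden") in ("1", "true"):
                            findings[key] += 1
    return findings


def is_safe_to_publish(findings: dict) -> bool:
    """Only a workbook with no hidden carriers at all passes the gate."""
    return (not findings["hidden_sheets"]
            and not findings["pivot_cache_records"]
            and findings["hidden_rows"] == 0
            and findings["hidden_cols"] == 0)


if __name__ == "__main__":
    result = audit_xlsx(build_sample_workbook())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to publish:", is_safe_to_publish(result))
```

The gate is deliberately strict: the safe way to publish aggregated figures is to export only the summary values into a fresh workbook (or a CSV), so that no pivot cache, hidden sheet or hidden column from the working file can travel with it. A scanner like this catches the case where someone publishes the working file instead.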
An ICO blog post, Now you don’t see it, now you do – the dangers of hidden data, from last November, offers guidance on how organisations can guard against making similar slip-ups.
The Blackpool case is not unprecedented. For example, Torbay NHS Trust (report here) and Islington Council both received penalties for inadvertently publishing hidden data. ®